BehaviorAnalytics stopped collecting FailedLogon events

Dmitriy Kolesnikov 6 Reputation points
2022-05-02T14:38:39.777+00:00

Hi there.

Since April 2022, we have been experiencing a situation where a query against the BehaviorAnalytics table doesn't return any records with an ActivityType containing 'FailedLogOn'. There are also no such records if you select records without any filters.

I checked all connected logs and everything looks enabled.

Could you please guide me on how to fix this?

Microsoft Sentinel
Microsoft Entra ID

2 answers

  1. Dmitriy Kolesnikov 6 Reputation points
    2022-05-02T15:41:24.787+00:00

    It seems the issue is caused by a problem with the Azure Premium P1/P2 license. We recently updated the licenses for everyone in the company, and some of those licenses don't work properly with Sentinel.

  2. Andrew Blumhardt 9,771 Reputation points Microsoft Employee
    2022-05-02T15:46:44.003+00:00

    I would start by checking the source tables for activity. Make sure your AAD Audit and Signin Logs are flowing. Maybe reset the UEBA settings. It may need reauthorization.

    https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics
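
The source-table check suggested in the second answer, written as a KQL query; this is an added example, not part of the original thread. It assumes Entra ID sign-in logs land in `SigninLogs` and uses a 60-day lookback chosen to span the date the records stopped.

```kql
// Added diagnostic example (not from the thread).
// Per day: failed sign-ins in the source table vs. FailedLogOn rows in BehaviorAnalytics.
// Assumption: Entra ID sign-in logs (SigninLogs) are the source UEBA should be reading.
let lookback = 60d;   // assumption: wide enough to include the day the records stopped
let source = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                      // "0" is a successful sign-in
    | summarize SourceFailedSignins = count() by Day = bin(TimeGenerated, 1d);
let ueba = BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | where ActivityType contains "FailedLogOn"    // same filter as in the question
    | summarize UebaFailedLogOn = count() by Day = bin(TimeGenerated, 1d);
source
| join kind=fullouter ueba on Day
| extend Day = coalesce(Day, Day1)                 // keep days present on only one side
| project Day,
          SourceFailedSignins = coalesce(SourceFailedSignins, 0),
          UebaFailedLogOn = coalesce(UebaFailedLogOn, 0)
| extend Status = iff(SourceFailedSignins > 0 and UebaFailedLogOn == 0,
                      "source flowing, UEBA empty", "ok")
| order by Day asc
```

Days marked "source flowing, UEBA empty" show that sign-in data is still being ingested while UEBA produces nothing, which points at the UEBA settings or licensing rather than the data connector. If `SigninLogs` itself returns no rows for those days, the connector is the place to look first.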